[Firehol-support] DHCP firewall issue

Romeo Theriault romeotheriault at gmail.com
Sat Jun 10 04:36:07 BST 2006

Well, I did a bit of research about it on Google and came up with this interesting tidbit on the netfilter mailing list.

On Monday 17 November 2003 4:35 pm, Chandana Bandara wrote:

 > Hi Mr. Antony & all,
 > iptables -P INPUT DROP
 > iptables -P FORWARD DROP
 > iptables -P OUTPUT DROP ... only with those policies,
 > should that block all incoming and outgoing traffic from the machine?

Assuming you have flushed the rules as well, with:

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

then no IP traffic will be allowed into, out of, or through, the  

 > This firewall is running on my DHCP machine, but when I test with my
 > clients, those machines have taken IPs. But this can't happen, can it?
 > If I'm correct, where can the problem be? Please guide me.

It is important to bear in mind that DHCP is a protocol used for giving IP
addresses to clients which don't currently have them, therefore the packets
involved in client requests and server responses will not have normal IP
addresses as you might expect, simply because the (client) machines in
question don't have IP addresses until the protocol is complete.

A quick inspection with a protocol analyser such as ethereal will easily show
you what I mean here.

However, once the clients do have IP addresses, the above rules will
certainly prevent them from communicating with, or through, the netfilter box.

If you want to block the ethernet traffic involved in communicating the DHCP
packets in the first place you might like to investigate ebtables at
http://ebtables.sf.net instead of iptables, as this is more appropriate to
this purpose.



At least I feel a little safer now knowing that it's not a serious
problem with my firewall. But it's also very interesting to know that
iptables won't block traffic that doesn't have an IP address yet, if
I'm understanding this correctly.

I'll have to check out ebtables.



On Jun 9, 2006, at 9:51 PM, Carlos Rodrigues wrote:

> I've only briefly glanced through RFC2131(*), but it does seem to
> imply that DHCP should only use UDP (as does BOOTP).
> However, a "netstat -ap | grep dhcpd" shows an open "raw" socket. I've
> never tried to firewall dhcpd (but I too noticed that it works even
> with policy drop, no ports open), so I never gave it much thought, but
> if I'd have to guess, I'd say dhcp packets don't go through the IP
> stack (dhcpd decodes UDP/IP on its own, maybe because some IP stacks
> don't do anything until configured, which is a chicken-and-egg
> problem) and, as such, are invisible to netfilter/iptables.
> Is this so? I'm rather curious about this myself.
> (*) ftp://ftp.rfc-editor.org/in-notes/rfc2131.txt
> On 6/10/06, Romeo Theriault <romeotheriault at gmail.com> wrote:
>> Hi, I'm having a bit of an issue with DHCP while using firehol. I have
>> eth0, which serves my private LAN, and I have eth1 with access to the
>> internet, and I'm routing the internal LAN to the network. This works
>> fine. I have DHCP bound to eth0 so it can serve IPs to the clients
>> on the LAN. From my understanding of the firewall config I have below,
>> DHCP shouldn't be allowing my clients to get an IP address, but they
>> are getting an IP address. This worries me. I would have thought that I
>> would have to type something like
>> interface eth0 dhcp
>>         policy return
>>         server dhcp accept
>> before my
>> interface eth0 lan
>>        etc.....
>> to get DHCP to work.
>> If someone could look at my config file below and tell me what I'm
>> doing wrong I would be very grateful.
>> Thanks.
>> Romeo
>> # Require release 5 of FireHOL configuration directives
>> version 5
>> # A space separated list of all the IPs on the internet, I trust
>> sshTrust=""
>> # The IP address of this Linux and LAN for the rest of the world
>> public_ip=""
>> # My LAN.
>>         interface eth0 lan
>>                 protection strong
>>                 server ident reject with tcp-reset
>>                 client all accept
>>         # Make sure the traffic coming in comes from valid Internet IPs,
>>         # and that it is targeting my public IP
>>         interface eth1 internet src not "$UNROUTABLE_IPS" dst "$public_ip"
>>                 # Protect me from various kinds of attacks.
>>                 protection strong
>>                 # Public servers.
>>                 server ssh  accept src "$sshTrust"
>>                 # Make sure idents do not timeout.
>>                 server ident reject with tcp-reset
>>                 # This is also a workstation.
>>                 client all accept
>>         # Route the LAN requests to the internet.
>>         router lan2internet inface eth0 outface eth1
>>                 # Masquerading on outface.
>>                 masquerade
>>                 # Route all specified requests from inface to outface
>>                 # and their replies back.
>>                 route http accept
>>                 route https accept
>>                 route dns accept
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/firehol-support
> -- 
> Carlos Rodrigues
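Added illustration (not part of this thread, and not FireHOL or dhcpd code): a small Python script that builds and then decodes the DHCPDISCOVER frame a client sends before it has an address, which is what Antony's ethereal suggestion would show. The IPv4 header carries 0.0.0.0 -> 255.255.255.255, the UDP ports are 68 -> 67, and the BOOTP chaddr field is the only identity the client has at that point. Carlos's guess also matches how things work on Linux: ISC dhcpd opens an AF_PACKET socket and does its own IP/UDP decoding, so a received frame is handed to dhcpd at the link layer before the IP stack's INPUT chain runs, and replies sent through that socket do not pass through OUTPUT. The client MAC address and transaction ID below are constructed sample values; nothing here touches a real network.

```python
import struct

# Constructed sample values for the example; any MAC and transaction ID will do.
EXAMPLE_CLIENT_MAC = bytes.fromhex("001122334455")
EXAMPLE_XID = 0xDEADBEEF

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie after the BOOTP header
DHCP_MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover(client_mac: bytes, xid: int) -> bytes:
    """Ethernet/IPv4/UDP/BOOTP frame for a DHCPDISCOVER, as an address-less client sends it."""
    # BOOTP: op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0,
    # flags=0x8000 (ask for a broadcast reply), ciaddr/yiaddr/siaddr/giaddr all 0.0.0.0.
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
        client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    # Options: 53 (message type) = 1 DISCOVER, 55 (parameter request list), 255 = end.
    options = DHCP_MAGIC + bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + b"\xff"
    payload = bootp + options
    # UDP 68 -> 67; a zero UDP checksum means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    # IPv4 from 0.0.0.0 to 255.255.255.255: the client has no address to put here yet.
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), xid & 0xFFFF, 0, 64, IPPROTO_UDP, 0,
        b"\x00\x00\x00\x00", b"\xff\xff\xff\xff",
    )
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = BROADCAST_MAC + client_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def parse_dhcp_options(data: bytes) -> dict:
    """TLV options following the magic cookie; code 0 is a pad byte, 255 ends the list."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the layers the way a protocol analyser (or dhcpd's own decoder) would."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie")
    opts = parse_dhcp_options(payload[240:])
    return {
        "dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]),
        "src_ip": _ip(ip[12:16]), "dst_ip": _ip(ip[16:20]),
        "sport": sport, "dport": dport,
        "xid": struct.unpack("!I", payload[4:8])[0],
        "chaddr": _mac(payload[28:28 + payload[2]]),   # hlen at offset 2 gives the MAC length
        "msg_type": DHCP_MESSAGE_TYPES.get(opts.get(53, b"\x00")[0], "unknown"),
        "options": opts,
    }


if __name__ == "__main__":
    frame = build_dhcp_discover(EXAMPLE_CLIENT_MAC, EXAMPLE_XID)
    info = parse_frame(frame)
    print("%s:%d -> %s:%d  DHCP%s xid=0x%08x chaddr=%s  (%d bytes on the wire)" % (
        info["src_ip"], info["sport"], info["dst_ip"], info["dport"],
        info["msg_type"], info["xid"], info["chaddr"], len(frame)))
```

The parser is the interesting half: the only usable identifiers in a DISCOVER are the source MAC and chaddr, which is exactly why a rule written in terms of "src" and "dst" IP addresses, or a FireHOL "interface eth0 lan" stanza, has nothing to match on, and why Antony points at ebtables for the case where you really want to stop these frames at the link layer.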
